cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

873
Views
8
Helpful
8
Replies
Highlighted
Cisco Employee

Certificate warning from switch while in pre-posture state

When using Microsoft Office 365 Exchange cloud service and posture on the switch, clients are getting a self-signed certificate warning from the switch. This is due to the application trying to be accessed by the client machine prior to posture completing. Is there a permanent way to fix this? When we used on-premise email, we denied the IP addresses of the servers explicitly in the posture redirect ACL but this is not a feasible solution now that this is maintained in the cloud. We have been told to put 'no ip http secure-server' on the switch but want to know if this will cause any issues with posture discovery or redirection? Is this expected behavior or is there a workaround?

3 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: Certificate warning from switch while in pre-posture state

Thanks for the input on this and the concern was if there would be an adverse affect if 'no ip http secure-server' was configured on the switch since it shows as optional in our Universal switch configuration guide. Configuring this command resolved the issue for the customer since the switch no longer intercepted HTTPS traffic and redirected it to ISE. After consulting with BU, it was confirmed the NAD does not have to intercept HTTPS traffic for AnyConnect posture to work correctly and HTTP is enough. Using the 'ip http secure-server' command on the switch is up to the customer.

View solution in original post

VIP Engager

Re: Certificate warning from switch while in pre-posture state

You don't need HTTPS and you are redirecting too much traffic.  Assuming you are not using the client provisioning portal to install AnyConnect Posture Module (you really shouldn't be), you only need to redirect the traffic used for posture discovery:

 

  1. Port 80 to the default gateway
  2. Port 80 to enroll.cisco.com.
  3. Port 80 to your discovery host

If you want to block traffic preposture use a DACL for that.  My standard posture redirect ACL, assuming client GWs are .1 and their a 10.x.x.x network, is:

ip access-list extended POSTURE-DISCOVERY
 permit tcp any 10.0.0.1 0.255.255.0 eq 80
 permit tcp any host 72.163.1.80 eq 80
 deny ip any any

 

That won't affect any traffic other than the GW and enroll.cisco.com traffic.

View solution in original post

VIP Engager

Re: Certificate warning from switch while in pre-posture state

Make sure the ACL works for new posture clients as well. If a client has postured before it will store the last PSN it reported posture too and posture discovery will still work even if the redirect ACL is wrong for posture discovery. If you want to simulate a new client remove the ISEPostureCFG.xml file from your C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture directory and restart the posture service.


View solution in original post

8 REPLIES 8
Cisco Employee

Re: Certificate warning from switch while in pre-posture state

It sounds like you are temporarily quarantining endpoints that are not compliant which limits their access to email and other applications.

ISE cannot stop/prevent applications from trying to use the network - it can only authorize access based on the desired polices using enforcement on the switch. The resulting behavior and alerts in the applications is a function of the limited access.

Typically you want and need HTTP and HTTPS services ENABLED on the network device in order to capture :80 and :443 traffic and perform URL redirection to ISE for web-authentication or notification ("You have been quarantined because your OS/software requires updates...". Disabling these either HTTP or HTTPS services will prevent URL redirection on the respective port.

Cisco Employee

Re: Certificate warning from switch while in pre-posture state

Thanks for the input on this and the concern was if there would be an adverse affect if 'no ip http secure-server' was configured on the switch since it shows as optional in our Universal switch configuration guide. Configuring this command resolved the issue for the customer since the switch no longer intercepted HTTPS traffic and redirected it to ISE. After consulting with BU, it was confirmed the NAD does not have to intercept HTTPS traffic for AnyConnect posture to work correctly and HTTP is enough. Using the 'ip http secure-server' command on the switch is up to the customer.

View solution in original post

Cisco Employee

Re: Certificate warning from switch while in pre-posture state

Correct HTTPS is not needed and is not recommended.

https://communities.cisco.com/thread/79494?start=0&tstart=0

In ISE 2.2 you are able to use posture without any redirection at all

You can tell the new clients to go to getmyagent.company.com when they first need to load the agent.

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-22/210523-ISE-posture-style-comparison-for-pre-and.html

Beginner

Re: Certificate warning from switch while in pre-posture state

any solution for this issue.

it seems like ip http secure-server is a requirement for posture|client provisioning to work

I have disable https ( using no ip http secure-server), and after disabling it users posture is not working.

VIP Engager

Re: Certificate warning from switch while in pre-posture state

You don't need HTTPS and you are redirecting too much traffic.  Assuming you are not using the client provisioning portal to install AnyConnect Posture Module (you really shouldn't be), you only need to redirect the traffic used for posture discovery:

 

  1. Port 80 to the default gateway
  2. Port 80 to enroll.cisco.com.
  3. Port 80 to your discovery host

If you want to block traffic preposture use a DACL for that.  My standard posture redirect ACL, assuming client GWs are .1 and their a 10.x.x.x network, is:

ip access-list extended POSTURE-DISCOVERY
 permit tcp any 10.0.0.1 0.255.255.0 eq 80
 permit tcp any host 72.163.1.80 eq 80
 deny ip any any

 

That won't affect any traffic other than the GW and enroll.cisco.com traffic.

View solution in original post

Beginner

Re: Certificate warning from switch while in pre-posture state

Awesome Paul, I tweaked my redirect ACL as per your recommendation and its working like a charm.

Tanks for saving me some time and headache.

VIP Engager

Re: Certificate warning from switch while in pre-posture state

Make sure the ACL works for new posture clients as well. If a client has postured before it will store the last PSN it reported posture too and posture discovery will still work even if the redirect ACL is wrong for posture discovery. If you want to simulate a new client remove the ISEPostureCFG.xml file from your C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\ISE Posture directory and restart the posture service.


View solution in original post

Cisco Employee

Re: Certificate warning from switch while in pre-posture state

paul is correct. ISE Posture does not need "ip http secure-server" at all. If you still have trouble in getting it to work, please engage Cisco TAC.